Presentation
RPKI: Enhancing Security with Robust Deployment
Gerardo Viviers | 7-8 March 2024 | DKNOG 14
Introduction
• RPKI: a framework for Internet routing security
• Helps to validate and verify routing information
• Prevents route hijacking and malicious activities
RPKI System
[Diagram: RPKI repositories (RIPE NCC, ARIN, APNIC, LACNIC, AFRINIC) and external repositories holding ROAs; a validator fetching them via rsync/RRDP; a validated cache served over RPKI-RTR.]
Routing Security using RPKI
[Diagram: the RIRs are the Trust Anchors for the RPKI repository, which states "ASN K is authorised to announce prefix Y". Both K and X announce "I have the network Y".]
The RPKI Incident
• On January 3, 2024, a RIPE NCC
member experienced a national outage
that lasted for several hours
• The outage was caused by unexpected
changes made to their RPKI ROAs
• These changes were done by a threat actor
that gained access to the RPKI Dashboard
in the RIPE NCC LIR Portal
• The threat actor gained access using a
leaked password!
Impact of the Incident
• Globally routed routes originated by AS12479 dropped from
around 9,200 to 7,400
• Backbone carriers that reject RPKI-invalid routes stopped
carrying a large portion of the member's IP space
• The outage caused disruptions in Internet connectivity and
services provided by the member
How the Member Resolved it
• The RIPE NCC member quickly identified the issue
- …and took steps to restore its RPKI certificates
• They worked together with the RIPE NCC for a resolution
• Improved security measures were taken to prevent this from
happening again in the future
Key Lessons Learned
• The importance of strong passwords
and multi-factor authentication (MFA)
• The importance of network security
monitoring
• The importance of having a robust
incident response plan
Becoming Resilient
• Use strong passwords
• Implement MFA
• Monitor networks for suspicious activity
• Develop and test an incident response plan
• Regularly monitor RPKI deployments
• Educate staff on the importance of RPKI
- and the potential impact of outages!
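
One way to act on "Regularly monitor RPKI deployments", as an added example that is not part of the presentation: route origin validation as defined in RFC 6811, plus a check that flags your own announcements that turn RPKI-invalid after a ROA change. The prefixes, ASNs, the ROA change and the names `rov_state` and `newly_invalid` are constructed for illustration.

```python
import ipaddress

def rov_state(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    vrps is a list of (prefix, max_length, asn) validated ROA payloads.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Valid needs a covering VRP with the same origin and a length
        # no longer than max_length.
        if vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: this is what ROV-enforcing carriers drop.
    return "invalid" if covered else "not-found"

def newly_invalid(announcements, baseline_vrps, current_vrps):
    """Own routes that were valid under the baseline but are invalid now."""
    return [
        (prefix, asn)
        for prefix, asn in announcements
        if rov_state(prefix, asn, baseline_vrps) == "valid"
        and rov_state(prefix, asn, current_vrps) == "invalid"
    ]

# Constructed data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ANNOUNCED = [("198.51.100.0/24", 64496), ("203.0.113.0/24", 64496)]
BASELINE = [("198.51.100.0/24", 24, 64496), ("203.0.113.0/24", 24, 64496)]
# Constructed unexpected change: the first ROA now names another origin AS.
CHANGED = [("198.51.100.0/24", 24, 64511), ("203.0.113.0/24", 24, 64496)]

if __name__ == "__main__":
    for prefix, asn in newly_invalid(ANNOUNCED, BASELINE, CHANGED):
        print(f"ALERT: {prefix} from AS{asn} is now RPKI-invalid")
```

Run against the VRP export of your own validator on a schedule, with the baseline kept somewhere other than the RPKI dashboard, so that a ROA change you did not make raises an alert before carriers start dropping the routes.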
Conclusions
• RPKI is a critical part of Internet routing security
• Learn from the recent RPKI Incident
• Implement the best practices to become more
resilient
• Increased investment in RPKI strengthens
security and stability
Questions?
gviviers@ripe.net
